﻿<?xml version="1.0" encoding="utf-8"?>
<sshma:Lithnet.SshMA xmlns:sshma="http://lithnet.local/Lithnet.SshMA.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <ma-capabilities>
    <delta-import>true</delta-import>
    <object-update-mode>AttributeUpdate</object-update-mode>
    <delete-add-as-replace>false</delete-add-as-replace>
    <object-rename-allowed>true</object-rename-allowed>
  </ma-capabilities>

  <schema>
    <schema-attributes>
      <schema-attribute name="accountName" multivalued="false" type ="string" operation="ImportExport"/>
      <schema-attribute name="expiryDate" multivalued="false" type="string" operation="ExportOnly"/>
      <schema-attribute name="accountDisabled" multivalued="false" type="boolean" operation="ExportOnly"/>
    </schema-attributes>

    <schema-objects>
      <schema-object object-class="user">
        <dn-format>{accountName}</dn-format>
        <attributes>
          <attribute>accountName</attribute>
          <attribute>expiryDate</attribute>
          <attribute>accountDisabled</attribute>
        </attributes>
      </schema-object>
    </schema-objects>
  </schema>

  <global-operations>
    <global-operation xsi:type="sshma:global-operation-ImportFullStart">
      <commands>
        <command>/usr/kerberos/sbin/kadmin -p svc-fim -k -q list_principals > /home/svc-fim/deltas/lastrun.sshma</command>
      </commands>
    </global-operation>
    <global-operation xsi:type="sshma:global-operation-ImportDeltaEnd">
      <commands>
        <command>/usr/kerberos/sbin/kadmin -p svc-fim -k -q list_principals > /home/svc-fim/deltas/lastrun.sshma</command>
      </commands>
    </global-operation>
      <!--
      <global-operation xsi:type="sshma:global-operation-ImportFullEnd"/>
    <global-operation xsi:type="sshma:global-operation-ImportDeltaStart"/>
    <global-operation xsi:type="sshma:global-operation-ExportStart"/>
    <global-operation xsi:type="sshma:global-operation-ExportEnd"/>
    <global-operation xsi:type="sshma:global-operation-PasswordStart"/>
    <global-operation xsi:type="sshma:global-operation-PasswordEnd"/>-->
  </global-operations>

  <object-operations object-class="user">
    <object-operation xsi:type="sshma:object-operation-ImportFull">
      <commands>
        <command result-has-objects="true" success-codes="0">cat /home/svc-fim/deltas/lastrun.sshma</command>
      </commands>
      <import-mapping>
        <object-extract><![CDATA[^(?<accountName>.*?)@.*$]]></object-extract>
        <object-filters>
          <object-filter attribute="accountName" operator="Equals">svc-fim</object-filter>
          <!--<object-filter attribute="accountName" operator="NotEquals">rnew0001</object-filter>
          <object-filter attribute="accountName" operator="NotEquals">testuser1</object-filter>-->
          <object-filter attribute="accountName" operator="NotContains">rnew</object-filter>
        </object-filters>
      </import-mapping>
    </object-operation>

    <object-operation xsi:type="sshma:object-operation-ImportDelta">
      <commands>
        <command result-has-objects="true" success-codes="0">/home/svc-fim/dev/fim_kerberos_delta/delta_maker.py</command>
      </commands>
      <import-mapping>
        <object-extract><![CDATA[^(?<changeType>.*?):(?<accountName>.*?)@.*$]]></object-extract>
        <object-filters>
          <object-filter attribute="accountName" operator="Equals">svc-fim</object-filter>
        </object-filters>
        <modification-type-mappings capture-group-name="changeType" unexpected-modification-type-action="ignore">
          <modification-type-add>add</modification-type-add>
          <modification-type-replace>replace</modification-type-replace>
          <modification-type-delete>delete</modification-type-delete>
        </modification-type-mappings>
      </import-mapping>
    </object-operation>

    <object-operation xsi:type="sshma:object-operation-ExportAdd">
      <commands>
        <command rule-id="AccountDisabledIsTrue">/usr/kerberos/sbin/kadmin -p svc-fim -k -q "add_principal [-expire {expiryDate} ]-randkey -allow_tix {dn}"</command>
        <command rule-id="AccountDisabledIsFalse">/usr/kerberos/sbin/kadmin -p svc-fim -k -q "add_principal [-expire {expiryDate} ]-randkey +allow_tix {dn}"</command>
        <command rule-id="AccountDisabledIsNotPresent">/usr/kerberos/sbin/kadmin -p svc-fim -k -q "add_principal [-expire {expiryDate} ]-randkey {dn}"</command>
      </commands>
    </object-operation>

    <object-operation xsi:type="sshma:object-operation-ExportModify">
      <commands>
        <command rule-id="AccountDisabledIsTrue">/usr/kerberos/sbin/kadmin -p svc-fim -k -q "modify_principal -allow_tix {dn}"</command>
        <command rule-id="AccountDisabledIsFalse">/usr/kerberos/sbin/kadmin -p svc-fim -k -q "modify_principal +allow_tix {dn}"</command>
        <command rule-id="ExpiryDateHasChanged">/usr/kerberos/sbin/kadmin -p svc-fim -k -q "modify_principal -expire \"{expiryDate}\" {dn}"</command>
        <command rule-id="AccountNameHasChanged">/usr/kerberos/sbin/kadmin -p svc-fim -k -q "delete_principal -force {dn}"</command>
        <command rule-id="AccountNameHasChanged">/usr/kerberos/sbin/kadmin -p svc-fim -k -q "add_principal -randkey {accountName}"</command>
      </commands>
    </object-operation>

    <object-operation xsi:type="sshma:object-operation-ExportDelete">
      <commands>
        <command>/usr/kerberos/sbin/kadmin -p svc-fim -k -q "delete_principal -force {dn}"</command>
      </commands>
    </object-operation>

    <object-operation xsi:type="sshma:object-operation-PasswordSet">
      <commands>
        <async-command>
          <!--
          <send-when expect="$ " timeout="5">echo /usr/kerberos/sbin/kadmin -p svc-fim -k</send-when>
          <send-when expect="$ " timeout="5">echo cpw {dn}</send-when>
          <send-when expect="$ " timeout="5">echo {newpassword}</send-when>
          <send-when expect="$ " timeout="5">echo {newpassword}</send-when>
          <success-when expect="$ " timeout="5"/>
          -->
          <send-when expect="$ " timeout="5">/usr/kerberos/sbin/kadmin -p svc-fim -k</send-when>
          <send-when expect="kadmin:  " timeout="5">cpw {dn}</send-when>
          <send-when expect="Enter password for principal &quot;{dn}&quot;: " timeout="5">{newpassword}</send-when>
          <send-when expect="Re-enter password for principal &quot;{dn}&quot;: " timeout="5">{newpassword}</send-when>
          <success-when expect="Password for &quot;{dn}@CC.MONASH.EDU.AU&quot; changed." timeout="5"/>
        </async-command>
        <!--<command>/usr/kerberos/sbin/kadmin -p svc-fim -k -q "cpw -pw {newpassword} {dn}"</command>-->
      </commands>
    </object-operation>
  </object-operations>

  <rules>
    <rule-group xsi:type="sshma:rule-group" id="AccountDisabledIsTrue" operator="And">
      <rule-ref rule-id="AccountDisabledIsPresent"/>
      <rule xsi:type="sshma:rule-SingleValuedAttributeValueRule" id="AccountIsDisabled" attribute="accountDisabled" operator="Equals" value="true"/>
    </rule-group>
    <rule-group xsi:type="sshma:rule-group" id="AccountDisabledIsFalse" operator="And">
      <rule-ref rule-id="AccountDisabledIsPresent"/>
      <rule xsi:type="sshma:rule-SingleValuedAttributeValueRule" id="AccountIsEnabled" attribute="accountDisabled" operator="Equals" value="false"/>
    </rule-group>
    <rule xsi:type="sshma:rule-AttributePresenceRule" id="AccountDisabledIsPresent" attribute="accountDisabled" operator="IsPresent"/>
    <rule xsi:type="sshma:rule-AttributePresenceRule" id="AccountDisabledIsNotPresent" attribute="accountDisabled" operator="NotPresent"/>
    <rule xsi:type="sshma:rule-AttributeChangeRule" id="AccountNameHasChanged" attribute="accountName" triggers="Update"/>
    <rule xsi:type="sshma:rule-AttributeChangeRule" id="ExpiryDateHasChanged" attribute="expiryDate" triggers="Add,Update"/>
  </rules>

</sshma:Lithnet.SshMA>